From 502cced40c1564032ffceeb2d7aa7c12eb18aae6 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 13 Jul 2016 10:21:09 -0700 Subject: [PATCH 1/5] minor fixes --- windows/plan/windows-10-servicing-options.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 8a2347918c..6ac55f7ffc 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -34,14 +34,13 @@ This new model uses simpler deployment methods, reducing the overall amount of e The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model. -With Windows 10, Microsoft has implemented the following new servicing options: - -![branches](images/branch.png) +Microsoft has implemented the following new servicing options in Windows 10: **Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
+![branches](images/branch.png) These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below: @@ -52,8 +51,8 @@ These servicing options provide pragmatic solutions to keep more devices more cu | Pharmaceuticals | <1% | 10% | 50% | 40% | | Consulting | 10% | 50% | 35% | 5% | | Software developer | 30% | 60% | 5% | 5% | - -Because every organization is different, the exact breakdown will vary even within a specific industry; these should be considered only examples, not specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch. +
+Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch. - Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features. 
@@ -67,7 +66,7 @@ Because every organization is different, the exact breakdown will vary even with Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them. -In addition to implementing these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. +With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. From a3df99fa4415415ea4575c5a1a2fbbfe93305087 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 13 Jul 2016 13:19:40 -0700 Subject: [PATCH 2/5] updated changelog --- .../change-history-for-manage-and-update-windows-10.md | 6 ++++++ .../change-history-for-plan-for-windows-10-deployment.md | 7 +++++++ 2 files changed, 13 insertions(+) 
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 603af6fbde..70d3844c1a 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -12,6 +12,12 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## July 2016 + +| New or changed topic | Description | +| ---|---| +| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](windows-10-servicing-options.md). | + ## June 2016 | New or changed topic | Description | diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 4f0b96a684..72d9279a2f 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -13,6 +13,13 @@ author: TrudyHa This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## July 2016 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](introduction-to-windows-10-servicing) page.| + ## May 2016 From 8f1b6eeeb8772733cd43c45457bc85372bfe3130 Mon Sep 17 00:00:00 2001 
From: Greg Lindsay Date: Wed, 13 Jul 2016 13:53:36 -0700 Subject: [PATCH 3/5] updated changelog --- .../manage/change-history-for-manage-and-update-windows-10.md | 2 +- .../plan/change-history-for-plan-for-windows-10-deployment.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 70d3844c1a..fe90ebb58f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | ---|---| -| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](windows-10-servicing-options.md). | +| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). | ## June 2016 diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 72d9279a2f..51c36c6953 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md 
@@ -18,7 +18,7 @@ This topic lists new and updated topics in the [Plan for Windows 10 deployment]( | New or changed topic | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](introduction-to-windows-10-servicing) page.| +| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. | ## May 2016 From 8193062545c88a9b2171aec99353f70817a5e4a2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Jul 2016 15:36:43 -0700 Subject: [PATCH 4/5] redirecting credential guard and applocker --- windows/whats-new/applocker.md | 1 + windows/whats-new/credential-guard.md | 1 + .../whats-new/whats-new-windows-10-version-1511.md | 13 ++++++++++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index 1c14abc6dc..48ac0556a8 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in AppLocker? diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index 48f7a4f853..885f9f4e3a 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in Credential Guard? 
diff --git a/windows/whats-new/whats-new-windows-10-version-1511.md b/windows/whats-new/whats-new-windows-10-version-1511.md index c4cb4f3014..2e3cad2ea6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1511.md 
@@ -32,7 +32,18 @@ For Windows 10-based devices, you can use your MDM server to directly deploy cl In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Credential Guard + +The following Credential Guard features were added in Windows 10, version 1511. + +- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: + - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. 
+ - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. +- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. +- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. ## Management From f3e8fddff3c5cc70077bdd07fd25c40c0ad8cbb7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Jul 2016 15:48:13 -0700 Subject: [PATCH 5/5] redirecting other what's new topics --- windows/whats-new/bitlocker.md | 1 + windows/whats-new/security-auditing.md | 1 + windows/whats-new/trusted-platform-module.md | 1 + windows/whats-new/user-account-control.md | 1 + .../whats-new-windows-10-version-1511.md | 33 ++++++++++++++----- 5 files changed, 29 insertions(+), 8 deletions(-) diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index 4e9d0f7b61..128d29fdc0 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security, mobile author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in BitLocker? diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 13c6a7e5b8..446912aa1d 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft ms.pagetype: security, mobile +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in security auditing? diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 18a325aa7f..e30d99b83d 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security, mobile author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in Trusted Platform Module? diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index fad8ee0ff5..ebee1b9403 100644 --- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft +redirect_url: whats-new-windows-10-version-1511.md --- # What's new in User Account Control? diff --git a/windows/whats-new/whats-new-windows-10-version-1511.md b/windows/whats-new/whats-new-windows-10-version-1511.md index 2e3cad2ea6..21442a52f1 100644 --- a/windows/whats-new/whats-new-windows-10-version-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1511.md 
@@ -23,16 +23,15 @@ With Windows 10, you can create provisioning packages that let you quickly and e ## Security -### Easier certificate management +### Bitlocker +The following Bitlocker features were added in Windows 10, version 1511. -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md) - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. 
XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. ### Credential Guard 
@@ -45,6 +44,24 @@ The following Credential Guard features were added in Windows 10, version 1511. - **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. - **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. +### Easier certificate management + + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. 
The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). ## Management
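Review bot: In [PATCH 1/5], first hunk (@@ -34,14 +34,13 @@) of windows/plan/windows-10-servicing-options.md, the list that the reworded lead-in introduces punctuates its labels inconsistently: "**Current Branch for Business (CBB)**." ends with a period where the other three entries use a colon. The commit already touches this list's lead-in and image placement, so change the period to a colon here as well.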
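Review bot: In [PATCH 1/5], third hunk (@@ -67,7 +66,7 @@) of windows/plan/windows-10-servicing-options.md, the new opening "With these new servicing options, Microsoft streamlined ..." changes the meaning rather than just the wording. The removed text ("In addition to implementing these new servicing options") presented the streamlined engineering and release cycle as a separate change; the new text reads as though the servicing options are what streamlined it. For a commit titled "minor fixes", keep "In addition to" unless the shift is intended. The sentence also repeats its subject ("Microsoft streamlined ... so that Microsoft can deliver"); "so that it can deliver" reads better.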
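Review bot: In [PATCH 2/5], both added "July 2016" rows carry cross-folder links that do not resolve from the file they sit in. windows/manage/change-history-for-manage-and-update-windows-10.md links to windows-10-servicing-options.md, which lives under windows/plan/, and windows/plan/change-history-for-plan-for-windows-10-deployment.md links to introduction-to-windows-10-servicing with no folder and no .md extension. [PATCH 3/5] corrects exactly these two links under the same subject, "updated changelog", so squash 3/5 into 2/5 rather than leaving a commit with broken links in history. In the plan changelog hunk, also drop the second blank "+" line after "## July 2016" so the new section matches the spacing of the one added to the manage changelog.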
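Review bot: In [PATCH 4/5], windows/whats-new/applocker.md gets "redirect_url: whats-new-windows-10-version-1511.md", but the only content this patch adds to the target is a "### Credential Guard" section, and no patch in the series adds an AppLocker section. Unless the target page already covers AppLocker, readers following the old link lose that content. Add the AppLocker section in this commit, or confirm it is already on the target page and say so in the commit message.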
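Review bot: In [PATCH 4/5], in the hunk for windows/whats-new/whats-new-windows-10-version-1511.md, the "Enable Credential Guard without UEFI lock" bullet ends with "You can configure this by using Group Policy", and "this" can be read as either the registry method or the recommended UEFI lock. The two differ in whether Credential Guard can be disabled remotely, so name the setting explicitly, for example "You can enable Credential Guard with UEFI lock by using Group Policy." The same hunk removes and re-adds the "Microsoft Passport lets users authenticate ..." paragraph with no visible text change; if that is a trailing-whitespace difference, leave the line out of this commit so the diff shows only the Credential Guard addition.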
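Review bot: In [PATCH 5/5], windows/whats-new/user-account-control.md gets "redirect_url: whats-new-windows-10-version-1511.md", but the hunk for the target page adds sections only for Bitlocker, Security auditing and Trusted Platform Module. The other three redirected topics in this commit each have a matching section; User Account Control does not. Add a "### User Account Control" section to the target, or drop this redirect until the content has somewhere to land.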
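Review bot: In [PATCH 5/5], in the hunk for windows/whats-new/whats-new-windows-10-version-1511.md, the new heading "### Bitlocker" and the sentence "The following Bitlocker features were added" spell the product name differently from the bullet text below them, which uses "BitLocker" throughout; use "BitLocker" in both places. Three further wording points in the added lines: "on older version of Windows" should be "on older versions of Windows"; in the same note, "This is only recommended for fixed and operating system drives" should name its subject ("XTS-AES is only recommended for ..."), since the sentence before it is about drive accessibility rather than the algorithm choice; and "elliptical curve cryptography" in the Trusted Platform Module bullet should be "elliptic curve cryptography".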